Snap security questions

Jamie Strandboge jamie at canonical.com
Mon Feb 6 20:13:42 UTC 2017


On Fri, 2017-02-03 at 19:59 +0800, James Henstridge wrote:
> On 1 February 2017 at 22:46, Jamie Strandboge <jamie at canonical.com> wrote:
> > 
> > On Wed, 2017-02-01 at 20:33 +0800, James Henstridge wrote:
> > > 
> > > 2. Use of the libapparmor aa_is_enabled and aa_query_label APIs
> > > 
> > > When deciding whether to do work on behalf of a client,
> > > thumbnailer-service uses a couple libapparmor API calls to determine
> > > whether the client has access to a file.  Neither of these are working
> > > under snappy confinement.
> > > 
> > > The first call we use is aa_is_enabled(), but it seems the policy is
> > > too strict to let us determine whether AppArmor is enabled or not.
> > > 
> > > Next we use aa_query_label() to perform the file access check.  This
> > > fails when trying to read /proc/$pid/mounts to determine where
> > > securityfs is mounted.  If that is fixed, it will likely fail when
> > > trying to access the "/sys/kernel/security/apparmor/.access" file
> > > within.
> > > 
> > > I've filed a bug for this one here:
> > > 
> > > https://bugs.launchpad.net/snappy/+bug/1660957
> > This needs some more thought since only "trusted helpers" that are doing
> > some form of mediation themselves need this access. Adding it to the dbus
> > interface by default isn't correct since, for example, ktuberling shouldn't
> > be asking about the security contexts of other snaps (not to mention, this
> > doesn't really have anything to do with the dbus interface). I've assigned
> > it to me and will think about it and will comment in the bug/propose a PR
> > where we can discuss further.
> Since it looked like we'd need a specialised snappy interface for
> thumbnailer, I had a go adding the rules necessary to enable
> aa_query_label() there.  If thumbnailer turns out to be the only snap
> needing this API, or the other snaps needing it also require custom
> interfaces, then perhaps this is a reasonable place to put the rules.
> 
> Of course, once I got my interface up and running, I ran into
> https://bugs.launchpad.net/apparmor/+bug/1620635 again.  I've put my
> in-progress branch up for review here:
> 
> https://github.com/snapcore/snapd/pull/2783

Thumbnailer isn't the only one that needs this, but I suspect putting the rules
in a specialized interface like you did in this PR will be the way to do this.
There is an effort to refactor the way interface policy is put together and when
doing that we'll do something like 'give me all the seccomp rules needed for
connecting to a dbus service'. We can do something similar for the libapparmor
access such that each interface that needs libapparmor in this manner can say
'give me all the apparmor rules needed for using libapparmor as a trusted
helper'.

Thanks for the PR! :)

-- 
Jamie Strandboge             | http://www.canonical.com
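The "trusted helper" check the thread is about, as an added example that is not code from thumbnailer-service, snapd, or any of the thread's authors: a helper that does work on behalf of confined clients asks the kernel whether the *client's* AppArmor label may read the file, instead of relying on its own (broader) permissions. The model below keeps the kernel query pluggable so the decision logic runs offline against a constructed policy table; the real binding assumes libapparmor 2.11 or later exposes aa_is_enabled() and aa_query_file_path() with the signatures used here, and the AA_MAY_* bit values are taken from sys/apparmor.h. The snap labels and the policy table are constructed for the example.

```python
"""Model of a trusted-helper file-access check (example, not thumbnailer's code)."""
import ctypes
import os

# Permission bits as defined in libapparmor's <sys/apparmor.h>.
AA_MAY_EXEC = 1 << 0
AA_MAY_WRITE = 1 << 1
AA_MAY_READ = 1 << 2


class QueryUnavailable(Exception):
    """The query itself could not be made, e.g. the helper's own confinement
    blocks /proc/<pid>/mounts or /sys/kernel/security/apparmor/.access."""


def libapparmor_query(label, path, mask):
    """Ask the kernel whether `label` holds `mask` permissions on `path`.

    Assumption: libapparmor >= 2.11 provides
      int aa_is_enabled(void);
      int aa_query_file_path(uint32_t mask, const char *label,
                             const char *path, int *allowed, int *audited);
    """
    try:
        lib = ctypes.CDLL("libapparmor.so.1", use_errno=True)
    except OSError as exc:
        raise QueryUnavailable("libapparmor not loadable: %s" % exc)
    lib.aa_is_enabled.restype = ctypes.c_int
    lib.aa_is_enabled.argtypes = []
    if lib.aa_is_enabled() != 1:
        # The failure mode from the thread: the helper cannot even tell
        # whether AppArmor is on, because its own policy blocks the probe.
        raise QueryUnavailable("aa_is_enabled() failed, errno %d" % ctypes.get_errno())
    lib.aa_query_file_path.restype = ctypes.c_int
    lib.aa_query_file_path.argtypes = [
        ctypes.c_uint32, ctypes.c_char_p, ctypes.c_char_p,
        ctypes.POINTER(ctypes.c_int), ctypes.POINTER(ctypes.c_int),
    ]
    allowed = ctypes.c_int(0)
    audited = ctypes.c_int(0)
    rc = lib.aa_query_file_path(mask, label.encode(), path.encode(),
                                ctypes.byref(allowed), ctypes.byref(audited))
    if rc != 0:
        raise QueryUnavailable("aa_query_file_path() failed, errno %d" % ctypes.get_errno())
    return allowed.value == 1


def client_may_read(client_label, requested_path, query=libapparmor_query):
    """Return "allow" or "deny" for a request to process `requested_path`
    on behalf of a client confined under `client_label`.

    Design choices made for this example:
    - an unconfined client is trusted outright;
    - the path is canonicalised first, because AppArmor mediates on the
      resolved path, not on the string the client sent;
    - if the query cannot be made at all, the helper fails closed instead of
      quietly doing the work with its own, wider privileges.
    """
    if client_label == "unconfined":
        return "allow"
    path = os.path.realpath(requested_path)
    try:
        ok = query(client_label, path, AA_MAY_READ)
    except QueryUnavailable:
        return "deny"
    return "allow" if ok else "deny"


# Constructed stand-in for the kernel query so the logic runs without
# AppArmor: which directory trees each (made-up) snap label may read.
FAKE_POLICY = {
    "snap.gallery.gallery": ["/home/user/Pictures"],
    "snap.ktuberling.ktuberling": [],
}


def fake_query(label, path, mask):
    """Offline replacement for libapparmor_query() driven by FAKE_POLICY."""
    if label == "snap.broken.broken":
        # Simulates the thread's bug: the helper cannot reach the .access file.
        raise QueryUnavailable("simulated EACCES on /sys/kernel/security/apparmor/.access")
    if mask & ~AA_MAY_READ:
        return False
    roots = (os.path.realpath(p) + "/" for p in FAKE_POLICY.get(label, []))
    return any(path.startswith(root) for root in roots)


if __name__ == "__main__":
    for label, path in [
        ("snap.gallery.gallery", "/home/user/Pictures/cat.jpg"),
        ("snap.gallery.gallery", "/home/user/Pictures/../Documents/notes.pdf"),
        ("snap.ktuberling.ktuberling", "/home/user/Pictures/cat.jpg"),
        ("snap.broken.broken", "/home/user/Pictures/cat.jpg"),
    ]:
        print(label, path, "->", client_may_read(label, path, fake_query))
```

The second sample request shows why the canonicalisation step matters: a path that lexically starts under Pictures but resolves elsewhere is judged on its resolved form. The `snap.broken.broken` case is the situation the thread describes, where the helper's own policy prevents the query; failing closed there is what keeps the helper from becoming a confused deputy while the interface rules are sorted out.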
